Hacker News: mjmas

New comment by mjmas in "FBI director's Based Apparel site has been spotted hosting a 'ClickFix' attack"

mjmas — Sat, 23 May 2026 01:03:38 +0000

> The attack suggests a hacker compromised some portion of BasedApparel.com

New comment by mjmas in "Why We've Filed a Referendum"

mjmas — Sat, 23 May 2026 00:27:10 +0000

> That's... their choice, of course, but doesn't seem logical to me.

Wouldn't the question be more simply, Do you want your power bills to go up for the same power used?

And the nuclear accidents that have happend have mostly been overblown (apart from Chernobyl).

New comment by mjmas in "Mozilla to UK regulators: VPNs are essential privacy and security tools"

mjmas — Sun, 17 May 2026 08:45:20 +0000

The very same office of the eSafety commissioner that is enforcing age verification for social media.

https://www.esafety.gov.au/newsroom/blogs/social-media-minim...

New comment by mjmas in "Tell NYT, Atlantic, USA Today to keep Wayback Machine"

mjmas — Wed, 13 May 2026 10:41:29 +0000

Is there a difference between that and User-agent: ia_archiver ?

New comment by mjmas in "Stop MitM on the first SSH connection, on any VPS or cloud provider"

mjmas — Mon, 11 May 2026 06:03:05 +0000

It does note that it only protects against an attacker "who learns the cloud-init user-data at any point after the script terminates".

If the attacker can get the cloud-init user-data while the script is still running (in the time between sending the cloud-config.yaml and connecting with SSH to the machine) that would still allow MitM, but would require more effort on the attacker's part to leak the cloud-init data.

The point of the script was that leaking the cloud-init data after the script has completed is harmless.

New comment by mjmas in "The locals don't know"

mjmas — Mon, 11 May 2026 05:45:09 +0000

OT, but I didn't know that .com allowed domains with a double-dash.

New comment by mjmas in "CVE-2026-31431: Copy Fail vs. rootless containers"

mjmas — Tue, 05 May 2026 12:58:34 +0000

Though this won't work for some kernels:

If algif_aead was a builtin module, it needs to be disabled by adding initcall_blacklist=algif_aead_init to the boot cmdline.

However initcall_blacklist requires the kernel to be built with CONFIG_KALLSYMS.

New comment by mjmas in "CVE-2026-31431: Copy Fail vs. rootless containers"

mjmas — Tue, 05 May 2026 12:41:23 +0000

Having write access on anything you can read should be enough if libraries or binaries are shared (read-only) between the host and container.

New comment by mjmas in "Kids can bypass some age checks with a drawn-on mustache"

mjmas — Tue, 05 May 2026 12:26:26 +0000

> let them all go there and not bother normal people.

The normal state does include people with children.

New comment by mjmas in "Microsoft Edge stores all passwords in memory in clear text, even when unused"

mjmas — Tue, 05 May 2026 02:53:52 +0000

Yes, but the pin uses the TPM which allows other things like only ever allowing a low number of guesses before requiring a reset of the pin (using a password or other mechanism)

New comment by mjmas in "I don't want your PRs anymore"

mjmas — Tue, 21 Apr 2026 21:55:13 +0000

Do you accept bug reports that just say "it doesn't work" or do you require reproducibility?

New comment by mjmas in "It is incorrect to "normalize" // in HTTP URL paths"

mjmas — Sat, 18 Apr 2026 13:04:13 +0000

> And at least according to this, the default setting is off

It appears to not default to off on my install (AlmaLinux 10).

I just tested now. Cloudflare normalises ../ and ./ paths and then the nginx proxy appears to normalise // to /:

nginx log:

  1234:: - - [18/Apr/2026:12:59:05 +0000] "GET //test//doubleslash/url HTTP/1.1" 404 158 "-" "curl/8.19.0" "1234::"

lighttpd log:

  1234:: - - [18/Apr/2026:12:59:04 +0000] "GET /test/doubleslash/url HTTP/1.0" 404 158 "-" "curl/8.19.0"

New comment by mjmas in "It is incorrect to "normalize" // in HTTP URL paths"

mjmas — Sat, 18 Apr 2026 12:48:49 +0000

Agreed. Reading through the RFC it certainly appears to support the blog article.

And looking around I found this SO answer noting nothing in the RFC:

https://stackoverflow.com/a/24661288

New comment by mjmas in "It is incorrect to "normalize" // in HTTP URL paths"

mjmas — Sat, 18 Apr 2026 12:43:59 +0000

And there are different rules for the email in the envelope and the message. One allows the user part of the email to contain spaces and the other doesn't.

New comment by mjmas in "All 12 moonwalkers had "lunar hay fever" from dust smelling like gunpowder (2018)"

mjmas — Sat, 18 Apr 2026 00:55:38 +0000

See: Polio

https://en.wikipedia.org/wiki/History_of_polio

> [...] Better hygiene meant that infants and young children had fewer opportunities to encounter and develop immunity to polio. Exposure to poliovirus was therefore delayed until late childhood or adult life, when it was more likely to take the paralytic form.[22]

New comment by mjmas in "A Python Interpreter Written in Python"

mjmas — Fri, 17 Apr 2026 10:15:36 +0000

> technically a python subset

So it can just run under CPython? If so, then that isn't too misleading.

New comment by mjmas in "The dangers of California's legislation to censor 3D printing"

mjmas — Tue, 14 Apr 2026 21:53:09 +0000

> was a thing

Still a thing in Australia.

New comment by mjmas in "CPU-Z and HWMonitor compromised"

mjmas — Sat, 11 Apr 2026 14:16:58 +0000

> PHP-era

PHP-era is still today

New comment by mjmas in "A compelling title that is cryptic enough to get you to take action on it"

mjmas — Sat, 11 Apr 2026 07:03:02 +0000

A second reply that happened because the article reappeared on the front page.

New comment by mjmas in "JSON formatter Chrome plugin now closed and injecting adware"

mjmas — Sat, 11 Apr 2026 05:42:53 +0000

The author's response to one of the reviews:

https://chromewebstore.google.com/review-reply/b4a787df-64e5...

> Give Freely is not spyware/adware or any kind of 'scam'. It's an optional donation appeal that asks you (if you happen to visit a retailer which happens to be a Give Freely partner) to click a button to donate unclaimed affiliate fees, with most of the money going to Code.org or another charity of your choice. I've met the Give Freely team and trust them. It does not collect any PII or browsing activity, and it doesn't overwrite other affiliate/voucher codes so it never costs you anything. If you find the donation popup too intrusive/annoying you can disable it forever in the extension options, or in the donation popup itself.

> Code.org is a good cause that's relevant to a lot of the same people who use this extension regularly, and clicking a Give Freely donate button is a genuinely free and anonymous way to show your support for both, if you want to. If you don't like it you can turn it off, or if it makes you more comfortable you can switch to JSON Formatter Classic, which has no Give Freely code and corresponds with the v0.8 branch in my archived json-formatter GitHub repo. Or try one of the many forks or alternatives available on the store.

> JSON Formatter Classic: https://chromewebstore.google.com/detail/json-formatter-clas...